Daily Blog #390: Exploring Extended MAPI Part 4

Exploring Extended MAPI Part 4 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
                In our last post in this series we looked at how to find the raw values that make up the Extended MAPI we found within Outlook Spy. In order to get this data we had to export out the message out of Outlook and into a MSG file on my desktop. I had to do this to get the MSG file loaded into structured storage viewer and as a byproduct you should have noticed that our PR_CREATION_TIME timestamp got reset to the time of export.

Now this to me was interesting: it means that PR_CREATION_TIME relates not to when the MSG structure was first made and stored, but rather that each iteration of the message resets the PR_CREATION_TIME, as seen below.



So we can determine exactly when someone exported the message out of the mailbox and onto the disk. Tomorrow we can do some testing on copying this MSG to external storage devices to find out if this time gets reset or preserved (my hypothesis is that it will remain even after the MSG file's creation time gets reset by the copy). Today, though, I want to show you that we can still determine when the message was originally received and stored in the mailbox it was sent to.

We can see this in PR_MESSAGE_DELIVERY_TIME, as shown below.


PR_MESSAGE_DELIVERY_TIME is still showing the original creation date we saw in part 2 of this blog series. Further testing is needed to see what affects these dates, but within an exported MSG this would appear to be a reliable pair of dates.
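To make the relationship between these two properties concrete, here is an added example (my own code, not code from the original post, from Outlook Spy or from Structured Storage Viewer). It is a small parser for the fixed-length entries of the __properties_version1.0 stream in an MSG file, which is where PR_CREATION_TIME and PR_MESSAGE_DELIVERY_TIME are stored as 64-bit FILETIME values. The property tag values and the 32-byte root-storage header size come from Microsoft's [MS-OXPROPS] and [MS-OXMSG] specifications. The stream bytes it parses are constructed inline with assumed delivery and export timestamps rather than taken from a real message, and the read_msg_timestamps helper for real files assumes the third-party olefile package is installed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property tags from [MS-OXPROPS]: (property ID << 16) | property type.
# Type 0x0040 is PtypTime, an 8-byte FILETIME stored inline in the entry.
TIME_TAGS = {
    "PR_MESSAGE_DELIVERY_TIME":  0x0E060040,  # PidTagMessageDeliveryTime
    "PR_CLIENT_SUBMIT_TIME":     0x00390040,  # PidTagClientSubmitTime
    "PR_CREATION_TIME":          0x30070040,  # PidTagCreationTime
    "PR_LAST_MODIFICATION_TIME": 0x30080040,  # PidTagLastModificationTime
}
PR_MESSAGE_FLAGS = 0x0E070003  # PtypInteger32; included only to show non-time entries are skipped

# The root storage's __properties_version1.0 stream opens with a 32-byte header
# ([MS-OXMSG]: reserved, next recipient ID, next attachment ID, recipient count,
# attachment count, reserved). Every entry after it is 16 bytes:
# tag (4) | flags (4) | value for fixed-length types, size/ID for variable-length ones (8).
ROOT_HEADER_SIZE = 32
ENTRY_SIZE = 16
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so large values stay exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_properties_stream(stream, header_size=ROOT_HEADER_SIZE):
    """Return {tag: raw 8-byte value} for every 16-byte entry after the header."""
    props = {}
    body = stream[header_size:]
    for offset in range(0, len(body) - len(body) % ENTRY_SIZE, ENTRY_SIZE):
        tag, _flags, raw = struct.unpack_from("<IIQ", body, offset)
        props[tag] = raw
    return props


def extract_timestamps(stream):
    """Map each MAPI time property present in the stream to a UTC datetime."""
    props = parse_properties_stream(stream)
    return {name: filetime_to_datetime(props[tag])
            for name, tag in TIME_TAGS.items() if tag in props}


def export_lag(stamps):
    """PR_CREATION_TIME minus PR_MESSAGE_DELIVERY_TIME. A positive gap means the MSG
    container was written after the message arrived, consistent with a later export."""
    return stamps["PR_CREATION_TIME"] - stamps["PR_MESSAGE_DELIVERY_TIME"]


def build_properties_stream(entries):
    """Assemble a root-storage properties stream from (tag, 8-byte raw value) pairs.
    Used only to construct test data here; the header counters are left at zero."""
    out = bytearray(ROOT_HEADER_SIZE)
    for tag, raw in entries:
        out += struct.pack("<IIQ", tag, 0x6, raw)  # flags: PROPATTR_READABLE | PROPATTR_WRITABLE
    return bytes(out)


# Constructed sample (assumed timestamps, not from a real mailbox): delivered on the 14th,
# saved out of Outlook as an MSG eight days later.
DELIVERED = datetime(2014, 7, 14, 15, 22, 10, tzinfo=timezone.utc)
EXPORTED = datetime(2014, 7, 22, 9, 5, 30, tzinfo=timezone.utc)

SAMPLE_STREAM = build_properties_stream([
    (TIME_TAGS["PR_MESSAGE_DELIVERY_TIME"], datetime_to_filetime(DELIVERED)),
    (TIME_TAGS["PR_CLIENT_SUBMIT_TIME"], datetime_to_filetime(DELIVERED - timedelta(seconds=42))),
    (PR_MESSAGE_FLAGS, 0x1),  # MSGFLAG_READ, zero-padded to 8 bytes like every fixed entry
    (TIME_TAGS["PR_CREATION_TIME"], datetime_to_filetime(EXPORTED)),
    (TIME_TAGS["PR_LAST_MODIFICATION_TIME"], datetime_to_filetime(EXPORTED)),
])


def read_msg_timestamps(path):
    """Same extraction against a real .msg file; requires the third-party olefile package."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return extract_timestamps(ole.openstream("__properties_version1.0").read())
    finally:
        ole.close()


if __name__ == "__main__":
    stamps = extract_timestamps(SAMPLE_STREAM)
    for name, when in sorted(stamps.items(), key=lambda kv: kv[1]):
        print(f"{name:26s} {when:%Y-%m-%d %H:%M:%S} UTC")
    print("creation - delivery:", export_lag(stamps))
```

The check to run on a suspect MSG is the sign of that gap: a PR_CREATION_TIME later than PR_MESSAGE_DELIVERY_TIME is consistent with the container having been written by a later export rather than at delivery. The parser only looks up the time tags, so variable-length entries (strings, binary blobs), whose 8-byte field holds a size rather than a value, are never misread as timestamps; for a real file point read_msg_timestamps at the .msg and pass the returned dictionary to export_lag.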

Tomorrow more MSG experiments and then onward into other Extended MAPI fields.


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here.
